10 minute read | May 20, 2024
The Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, has proposed a rule that would govern whether, when, and how companies in critical infrastructure sectors report cybersecurity incidents and ransomware payments.
The Proposed Rule would require covered entities to report certain cyber incidents to CISA no later than 72 hours after the entity reasonably believes the incident occurred, and ransom payments within 24 hours of payment. The Proposed Rule also:
The Proposed Rule implements reporting requirements under Section 2242 of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CISA says reporting will enhance its “ability to identify trends and track cyber threat activity across the cyber threat landscape . . . .”
Companies and individuals can submit comments on the proposal to CISA by June 3. CISA is required to issue a final rule within 18 months of publication of the Proposed Rule, or by October 4, 2025.
Presidential Policy Directive 21 established 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors (materials and waste), transportation systems, and water and wastewater systems.
Each sector had a sector-specific plan that outlined the critical functions in that sector. The plan described the types of industries included in the sector but did not provide definitive criteria for determining whether a given business is, in fact, part of the critical infrastructure.
The Proposed Rule adds some clarity by specifying that an entity in a critical infrastructure sector would be covered if it exceeds the “small business” size standard under the North American Industry Classification System or if it operates under one or more enumerated sector-based criteria, including but not limited to:
It is important to note that some enumerated sectors remain vague, such as entities that own or operate financial services sector infrastructure and information technology entities. As such, the Proposed Rule may cover a variety of businesses, large and small, given the breadth of the definition of “covered entity.”
The Proposed Rule covers “substantial cyber incidents,” including those that result in:
The Proposed Rule expands reporting by third-party providers to cover incidents that cause any of the effects above, including incidents caused through the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider.
The Proposed Rule also covers “ransomware payments” made as a result of a ransomware attack. A ransomware attack includes any occurrence that actually or imminently jeopardizes the confidentiality, integrity, or availability of information on an information system, or that actually or imminently jeopardizes an information system, through methods such as the threat or use of unauthorized or malicious code or a denial-of-service attack, and that disrupts any information or compromises data in order to extort a ransom payment.
The Proposed Rule imposes deadlines to report incidents:
The Proposed Rule establishes other reporting requirements and guidelines, including:
For cyber incidents and ransomware payments, a covered entity must report:
A covered entity reporting a cybersecurity incident also must disclose the category or categories of information the threat actor accessed or acquired.
For ransomware payments, the covered entity also must report:
If a covered entity experiences a cybersecurity incident and makes a ransom payment within 72 hours of discovering the incident, the entity may file a joint report consisting of all available required information.
If the covered entity makes a payment after 72 hours, the additional report is deemed to be a supplemental report.
The Proposed Rule requires covered entities to preserve records relating to the incident and any ransom payments, in their original format or form, for at least two years from the date the information is submitted to CISA. These records include, among other things, communications with the threat actor, log entries, forensic reports, network data, and information about exfiltrated data.
Covered entities may also be required to respond to subpoenas from CISA for additional information. If CISA believes a business submitted materially false or fraudulent information, the CISA director may refer the matter to the Attorney General or other federal authorities for civil or criminal enforcement.
Many covered entities already have obligations to report incidents to sector-based regulators. The Proposed Rule includes a reporting exemption for them, as long as an interagency agreement exists between that regulator and CISA. At this time, no such interagency agreements are in place. It is unknown how the interagency agreement process will mature over the next few years, or whether reports submitted to a sector regulator would receive protections similar to the information-sharing restrictions provided under the Proposed Rule, including the applicable non-waiver of privilege, protection from FOIA, and evidentiary and discovery bars for reports in connection with litigation.
Additionally, because third parties are authorized to report on behalf of a covered entity, the process could be more streamlined for supply chain compromises and other third-party incidents that impact multiple covered entities.
Here are steps potentially covered entities should consider taking, particularly in the financial services, information technology, and healthcare sectors:
The biggest anticipated challenge for many businesses – particularly in the areas of financial services, information technology, and healthcare – is determining whether they meet the definition of a “covered entity.”
Financial services companies should determine whether their activities fall into the sector-specific descriptions of “critical financial functions.” That includes providers of:
If a financial services company does not fall into the categories under any critical financial function (or is a small business), it must then determine whether it falls into any enumerated function, including whether the company is a money services business.
Information technology companies must consider whether they fall into sector-specific descriptions of critical functions in the information technology space. That includes providers of:
If an IT company does not fall into such categories (or is a small business), it must then determine whether it provides “critical software” technologies or operational technology (OT). If neither applies, the company should determine whether it has sold or plans to sell services to the federal government.
Healthcare entities must consider whether they fall into the sector-specific descriptions of critical functions in the healthcare space, which include:
If a healthcare entity does not fall into such categories (or is a small business), it must then determine whether it is a hospital with 100 or more beds or a critical access hospital, or whether it manufactures drugs listed in Appendix A of the Essential Medicines Supply Chain and Manufacturing Resilience Assessment or a Class II or Class III device.
Some companies may also be subject to the Rule because of a small portion of their business. The Proposed Rule covers any company required to report cyber incidents to the Department of Defense under DFARS Rule 252.204-7012. This requirement potentially encompasses a variety of small businesses, including consulting firms, where only a small percentage of their work comes from government contractors.
If you have questions about this proposed rule, please reach out to the authors (James Chou, Hayden Irwin, Thora Johnson, Beth McGinn and Joe Santiesteban).